
VPN on MikroTik

OpenVPN

Source https://www.medo64.com/2016/12/simple-openvpn-server-on-mikrotik/

Enable the cloud name (DDNS)

/ip cloud set ddns-enabled=yes

Get the FQDN

/ip cloud print

Looks like <serial>.sn.mynetname.net.

Create the certificates

CA certificate.

/certificate add name=ca-template common-name=<serial>.sn.mynetname.net days-valid=365 key-size=2048 key-usage=crl-sign,key-cert-sign

Server certificate.

/certificate add name=server-template common-name=*.<serial>.sn.mynetname.net days-valid=365 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server

Client certificate.

/certificate add name=client-template common-name=client.<serial>.sn.mynetname.net days-valid=365 key-size=2048 key-usage=tls-client

Sign the certificates

CA certificate.

/certificate sign ca-template name=ca-certificate

Server certificate.

/certificate sign server-template name=server-certificate ca=ca-certificate

Client certificate.

/certificate sign client-template name=client-certificate ca=ca-certificate

Export the certificates

Export the ca certificate.

/certificate export-certificate ca-certificate export-passphrase=""

Export the client certificate.

/certificate export-certificate client-certificate export-passphrase=12345678

This should give you three files inside the router:

  • cert_export_ca-certificate.crt (rename to ca.crt)
  • cert_export_client-certificate.crt (rename to client.crt)
  • cert_export_client-certificate.key (rename to client.key)

You can download the files easily with scp:

scp mikrotik:/cert_export_ca-certificate.crt ca.crt
scp mikrotik:/cert_export_client-certificate.crt client.crt
scp mikrotik:/cert_export_client-certificate.key client.key

IP pool addresses

/ip pool add name="vpn-pool" ranges=192.168.8.10-192.168.8.99

Encryption profile

/ppp profile add name="vpn-profile" use-encryption=yes local-address=192.168.8.250 dns-server=192.168.8.250 remote-address=vpn-pool
/ppp secret add name=user profile=vpn-profile password=password

OpenVPN Interface

/interface ovpn-server server set default-profile=vpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes

Firewall

/ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept comment="Allow OpenVPN" in-interface=ether1

If you want to use firewall rules with the ovpn interface, you need to give the interface a static name, e.g. /interface ovpn-server add name=ovpn-yu user=yu.

Connect

You need all the previously exported certificates in the same folder as client.conf.

Example config file client.conf:

client
dev tun
proto tcp
remote 10.0.5.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3

Start the tunnel in Linux:

openvpn client.conf

Enter Auth Username: user
Enter Auth Password: password
Enter Private Key Password: 12345678
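The client.conf above has to agree with the server line under OpenVPN Interface (cipher list, auth digest, require-client-certificate) and with the firewall rule (tcp/1194), otherwise the handshake fails with little to go on. As an added example that is not part of the original page, this Python script lints a client.conf against those two commands; the mapping between RouterOS names (aes128, sha1) and OpenVPN option values (AES-128-CBC, SHA1) is assumed from the pairing shown on this page.

```python
"""Lint an OpenVPN client.conf against the MikroTik ovpn-server settings (constructed example)."""
import re

# RouterOS names -> OpenVPN option values, as paired on this page (assumption: only these).
CIPHER_NAMES = {"aes128": "AES-128-CBC", "aes192": "AES-192-CBC", "aes256": "AES-256-CBC"}
AUTH_NAMES = {"sha1": "SHA1"}

# Copied from the page: the server command and the example client.conf.
PAGE_SERVER_CMD = ("/interface ovpn-server server set default-profile=vpn-profile "
                   "certificate=server-certificate require-client-certificate=yes "
                   "auth=sha1 cipher=aes128,aes192,aes256 enabled=yes")
PAGE_CLIENT_CONF = """client\ndev tun\nproto tcp\nremote 10.0.5.1 1194\nresolv-retry infinite
nobind\npersist-key\npersist-tun\nca ca.crt\ncert client.crt\nkey client.key
remote-cert-tls server\ncipher AES-128-CBC\nauth SHA1\nauth-user-pass\nredirect-gateway def1\nverb 3"""

def parse_routeros(cmd):
    """Turn the key=value pairs of a RouterOS command into a dict."""
    return dict(re.findall(r"(\S+?)=(\S+)", cmd))

def parse_ovpn(text):
    """Parse client.conf into {option: [args]}; comments and <ca>..</ca> inline blocks are skipped."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if inline:                                  # inside an inline <tag> ... </tag> block
            if line == "</%s>" % inline:
                inline = None
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
        elif line:
            key, *args = line.split()
            opts[key] = args
    return opts

def lint(client_conf, server_cmd, allowed_port=1194):
    """Return a list of mismatches; an empty list means client and server settings agree."""
    srv, cli, problems = parse_routeros(server_cmd), parse_ovpn(client_conf), []
    if "client" not in cli:
        problems.append("missing 'client'")
    if cli.get("proto", ["udp"])[0] != "tcp":       # OpenVPN defaults to udp; the firewall rule is tcp only
        problems.append("proto must be tcp: the firewall rule only accepts tcp/%d" % allowed_port)
    remote = cli.get("remote", [])
    if len(remote) < 2 or remote[1] != str(allowed_port):
        problems.append("remote must use port %d to match the firewall rule" % allowed_port)
    ciphers = [CIPHER_NAMES.get(c, c).upper() for c in srv.get("cipher", "").split(",")]
    if cli.get("cipher", [""])[0].upper() not in ciphers:
        problems.append("cipher not offered by the server (allowed: %s)" % ", ".join(ciphers))
    if cli.get("auth", [""])[0].upper() != AUTH_NAMES.get(srv.get("auth", ""), srv.get("auth", "")).upper():
        problems.append("auth digest differs from server auth=%s" % srv.get("auth"))
    if srv.get("require-client-certificate") == "yes":
        problems += ["server requires a client certificate but '%s' is missing" % o
                     for o in ("cert", "key") if o not in cli]
    if "ca" not in cli or "remote-cert-tls" not in cli:
        problems.append("add 'ca ca.crt' and 'remote-cert-tls server' so the server certificate is verified")
    if "auth-user-pass" not in cli:
        problems.append("the server profile authenticates a /ppp secret: 'auth-user-pass' is required")
    return problems
```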

Check the clients connected

/interface ovpn-server print

Add new client

Generate a password with openssl rand -base64 32.

/certificate add name=<certname> common-name=<hostname> days-valid=365 key-size=2048 key-usage=tls-client
/certificate sign <certname> ca=<cacertname>
/certificate export-certificate <cacertname> export-passphrase="" # The password MUST be empty to export only the public cert.
/certificate export-certificate <certname> export-passphrase="<passphrase1>"

/ppp secret add name=<username> profile=<vpnprofilename> password="<passphrase2>"
/interface ovpn-server add name=<interfacename> user=<username> # This step is so you can create custom firewall rules for each profile

/ip firewall filter add action=accept chain=forward dst-address=10.0.0.1 dst-port=443 in-interface=<interfacename> out-interface=ether3 protocol=tcp place-before=54

SSTP VPN

https://www.medo64.com/2017/01/simple-sstp-server-on-mikrotik/